Abstract. For $q$ a prime power, the discrete logarithm problem (DLP) in $\mathbb{F}_q^{\times}$ consists in finding, for any $g \in \mathbb{F}_q^{\times}$ and $h \in \langle g \rangle$, an integer $x$ such that $g^x = h$. We present an algorithm for computing discrete logarithms with which we prove that for each prime $p$ there exist infinitely many explicit extension fields $\mathbb{F}_{p^n}$ in which the DLP can be solved in expected quasi-polynomial time. Furthermore, subject to a conjecture on the existence of irreducible polynomials of a certain form, the algorithm solves the DLP in all extensions $\mathbb{F}_{p^n}$ in expected quasi-polynomial time.


1 Introduction 

In this paper we prove the following result. 

Theorem 1. For every prime $p$ there exist infinitely many explicit extension fields $\mathbb{F}_{p^n}$ in which the DLP can be solved in expected quasi-polynomial time

$$\exp\bigl((1/\log 2 + o(1))(\log n)^2\bigr). \qquad (1)$$

Theorem 1 is an easy corollary of the following much stronger result, which we prove by 
presenting a randomised algorithm for solving any such DLP. 

Theorem 2. Given a prime power $q \ge 61$ that is not a power of 4, an integer $k \ge 18$, coprime polynomials $h_0, h_1 \in \mathbb{F}_{q^k}[X]$ of degree at most two and an irreducible degree $l$ factor $I$ of $h_1X^q - h_0$, the DLP in $\mathbb{F}_{q^{kl}} = \mathbb{F}_{q^k}[X]/(I)$ can be solved in expected time

$$q^{\log_2 l + O(k)}. \qquad (2)$$

To deduce Theorem 1 from Theorem 2, note that thanks to Kummer theory, when $l = q - 1$ such $h_0, h_1$ are known to exist; indeed, for all $k$ there exists an $a \in \mathbb{F}_{q^k}$ such that $I = X^{q-1} - a \in \mathbb{F}_{q^k}[X]$ is irreducible and therefore $I \mid X^q - aX$. By setting $q = p^i \ge 61$ for any $i \ge 1$ (odd for $p = 2$), $k = 18$, $l = q - 1 = p^i - 1$ and finally $n = ik(p^i - 1)$, applying (2) proves that the DLP in this representation of $\mathbb{F}_{p^n}$ can be solved in expected time (1). As one can compute an isomorphism between any two representations of $\mathbb{F}_{p^n}$ in polynomial time [16], this completes the proof. Observe that one may replace the prime $p$ in Theorem 1 by a (fixed) prime power $p^r$ by setting $k = 18r$ in the argument above.

In order to apply Theorem 2 to the DLP in $\mathbb{F}_{p^n}$ with $p$ fixed and arbitrary $n$, one should first embed the DLP into one in an appropriately chosen $\mathbb{F}_{q^{kn}}$. By this we mean that $q = p^i$ should be at least $n - 2$ (so that $h_0, h_1$ may exist) but not too large, and that $18 \le k = o(\log q)$, so that the resulting complexity (2) is given by (1) as $n \to \infty$. Proving that appropriate $h_0, h_1 \in \mathbb{F}_{q^k}[X]$ exist for such $q$ and $k$ would complete our approach and prove the far stronger result that the DLP in $\mathbb{F}_{p^n}$ with $p$ fixed can be solved in expected time (1) for all $n$. However, this seems to be a very hard problem, even if heuristically it would appear to be almost certain.

* Supported by the Swiss National Science Foundation via grant number 200021-156420.

** This work was mostly done while the author was with the Laboratory for Cryptologic Algorithms, EPFL, Switzerland, supported by the Swiss National Science Foundation via grant number 200020-132160.

*** This work was mostly done while the author was with the Institute of Algebra, TU Dresden, Germany, supported by the Irish Research Council via grant number ELEVATEPD/2013/82.

Note that if one could prove the existence of an infinite sequence of primes $p$ (or more generally prime powers) for which $p - 1$ is quasi-polynomially smooth in $\log p$, then the Pohlig-Hellman algorithm [17] would also give a rigorous - and deterministic - quasi-polynomial time algorithm for solving the DLP in such fields, akin to Theorem 1. However, such a sequence is not known to exist and even if it were, Theorem 1 is arguably more interesting since the present algorithm exploits properties of the fields in question rather than just the factorisation of the order of their multiplicative groups. Furthermore, the fields to which the algorithm applies are explicit, whereas it may be very hard to find members of such a sequence of primes (or prime powers), should one exist.

The first (heuristic) quasi-polynomial algorithm for discrete logarithms in finite fields of fixed characteristic was devised by Barbulescu, Gaudry, Joux and Thomé [2], building upon an approach of Joux [14]. We emphasise that the quasi-polynomial algorithm presented here relies on a different principal building block, whose roots may be found in the work of Göloğlu, Granger, McGuire and Zumbrägel [10]. In contrast to the algorithm of Barbulescu et al., the present algorithm eliminates the need for smoothness heuristics; this feature as well as the algebraic nature of the algorithm makes a rigorous analysis possible.

The sequel is organised as follows. In Section 2 we present the algorithm, which involves the 
repeated application of what is referred to as a descent. In Section 3 we describe our descent 
method, provide details of its building block and explain why its successful application implies 
Theorem 2, and hence Theorem 1. Finally, in Section 4 we complete the proof of these theorems 
by demonstrating that every step of each descent is successful. 

2 The algorithm 

As per Theorem 2, let $q \ge 61$ be a prime power that is not a power of 4 and let $k \ge 18$ be an integer; the reasons for these bounds are explained in Sections 3 and 4. We also assume there exist $h_0, h_1, I \in \mathbb{F}_{q^k}[X]$ satisfying the conditions of Theorem 2. Finally, let $g \in \mathbb{F}_{q^{kl}}^{\times}$ and let $h \in \langle g \rangle$ be the target element for the DLP to base $g$.

The structure and analysis of the algorithm closely follows the approach of Diem in the 
context of the elliptic curve DLP [8], which is based on that of Enge and Gaudry [9]. However, 
a difference is that it obviates the need to factorise the group order. 

Input: A prime power $q \ge 61$ that is not a power of 4; an integer $k \ge 18$; a positive integer $l$; polynomials $h_0, h_1, I \in \mathbb{F}_{q^k}[X]$ with $h_0, h_1$ being coprime, $\deg(h_0), \deg(h_1) \le 2$ and $I$ a degree $l$ irreducible factor of $h_1X^q - h_0$; $g \in \mathbb{F}_{q^{kl}}^{\times}$ and $h \in \langle g \rangle$.

Output: An integer $x$ such that $g^x = h$.

1. Let $N = q^{kl} - 1$, let $\mathcal{F} = \{F \in \mathbb{F}_{q^k}[X] \mid \deg F \le 1, F \ne 0\} \cup \{h_1\}$ and denote its elements by $F_1, \dots, F_m$, where $m = |\mathcal{F}| = q^{2k}$ (or $q^{2k} - 1$ if $\deg h_1 \le 1$).

2. Construct a matrix $R = (r_{ij}) \in (\mathbb{Z}/N\mathbb{Z})^{(m+1) \times m}$ and column vectors $\alpha, \beta \in (\mathbb{Z}/N\mathbb{Z})^{m+1}$ as follows. For each $i$ with $1 \le i \le m + 1$ choose $\alpha_i, \beta_i \in \mathbb{Z}/N\mathbb{Z}$ uniformly and independently at random and apply the (randomised) descent algorithm of Section 3 to $g^{\alpha_i}h^{\beta_i}$ to express this as

$$g^{\alpha_i}h^{\beta_i} = \prod_{j=1}^{m} F_j^{r_{ij}} \pmod{I}.$$

3. Compute a lower row echelon form $R'$ of $R$ by using invertible row transformations; apply these row transformations also to $\alpha$ and $\beta$, and denote the results by $\alpha'$ and $\beta'$.

4. If $\gcd(\beta'_1, N) > 1$, go to Step 2.

5. Return an integer $x$ such that $\alpha'_1 + x\beta'_1 \equiv 0 \pmod N$.
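The five steps above with the descent of Step 2 treated as a black box, as an added example that is not the paper's code. It runs in the toy group $\mathbb{F}_{1019}^{\times}$ (constructed for the demonstration; $N = 1018 = 2 \cdot 509$), replaces the descent by a stand-in (trial division of $g^{\alpha}h^{\beta}$ over a factor base of small primes, retried until the value is smooth), and otherwise follows the steps literally: random $(\alpha_i, \beta_i)$, unimodular row operations bringing $R$ to lower row echelon form over $\mathbb{Z}/N\mathbb{Z}$ and applied to $\alpha$ and $\beta$ as well, the $\gcd$ test of Step 4 and the solution of Step 5. The group order $N$ is never factored and $g$ is not assumed to be a generator.

```python
"""Section 2 algorithm in a toy setting (added example, not the paper's code).

Group: F_p^* for p = 1019, so N = p - 1 = 1018 = 2 * 509.  The descent of
Step 2 is replaced by a stand-in: trial division of g^alpha * h^beta over a
factor base of small primes, retried until the value is smooth.  All values
below are constructed for the demonstration.
"""
import random
from math import gcd

P = 1019                      # prime; F_P^* has order N
N = P - 1
FACTOR_BASE = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def egcd(a, b):
    """Extended Euclid for a, b >= 0: returns (g, x, y) with x*a + y*b = g = gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b = b, a - q * b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def descent_stub(z):
    """Stand-in for the descent: exponent vector of z over FACTOR_BASE, or None if z is not smooth."""
    row = []
    for f in FACTOR_BASE:
        e = 0
        while z % f == 0:
            z //= f
            e += 1
        row.append(e)
    return row if z == 1 else None


def relation(g, h, rng):
    """Step 2 for one row: uniform (alpha, beta) and a rewriting of g^alpha h^beta over the factor base."""
    while True:
        alpha, beta = rng.randrange(N), rng.randrange(N)
        row = descent_stub(pow(g, alpha, P) * pow(h, beta, P) % P)
        if row is not None:
            return alpha, beta, row


def lower_echelon(R, alpha, beta):
    """Step 3: unimodular row operations (as for the Smith normal form) bringing the
    (m+1) x m matrix R to lower row echelon form over Z/NZ; the same operations are
    applied to alpha and beta.  Each 2x2 transform has determinant 1, so it is invertible
    modulo N without knowing the factorisation of N."""
    m = len(R[0])
    pivot = len(R) - 1
    for j in range(m - 1, -1, -1):          # clear column j in all rows above the pivot row
        for i in range(pivot):
            a, b = R[pivot][j], R[i][j]
            if b == 0:
                continue
            g, x, y = egcd(a, b)
            rp, ri = R[pivot], R[i]
            R[pivot] = [(x * u + y * v) % N for u, v in zip(rp, ri)]
            R[i] = [(-(b // g) * u + (a // g) * v) % N for u, v in zip(rp, ri)]
            ap, ai = alpha[pivot], alpha[i]
            alpha[pivot], alpha[i] = (x * ap + y * ai) % N, (-(b // g) * ap + (a // g) * ai) % N
            bp, bi = beta[pivot], beta[i]
            beta[pivot], beta[i] = (x * bp + y * bi) % N, (-(b // g) * bp + (a // g) * bi) % N
        pivot -= 1
    return R, alpha, beta


def solve_dlp(g, h, seed=1):
    """Steps 1-5: returns x with g^x = h in F_P^*.  Retries (Step 4) until beta'_1 is a unit mod N."""
    rng = random.Random(seed)
    m = len(FACTOR_BASE)
    while True:
        rows = [relation(g, h, rng) for _ in range(m + 1)]
        alpha = [r[0] for r in rows]
        beta = [r[1] for r in rows]
        R = [r[2] for r in rows]
        R, alpha, beta = lower_echelon(R, alpha, beta)
        assert all(v == 0 for v in R[0])    # the first row of R' vanishes, so g^alpha'_1 h^beta'_1 = 1
        if gcd(beta[0], N) != 1:
            continue                        # Step 4: beta'_1 not invertible, start over
        return (-alpha[0] * pow(beta[0], -1, N)) % N   # Step 5


if __name__ == "__main__":
    g, secret = 2, 777                      # constructed instance; 2 generates F_1019^*
    h = pow(g, secret, P)
    x = solve_dlp(g, h)
    print("recovered x =", x, "check:", pow(g, x, P) == h)
```

The expected number of restarts is $N/\varphi(N) \approx 2$ here, matching Lemma 1; because the row operations are unimodular over $\mathbb{Z}$, the code never needs $509$ to be known as a factor of $N$.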
We now explain why the algorithm is correct and discuss the running time, treating the descent in Step 2 as a black box algorithm for now. Henceforth, we assume that any random choices used in the descent executions are independent from each other and of the randomness of $\alpha$ and $\beta$. For the correctness, note that $g^{\alpha'_1}h^{\beta'_1} = 1$ holds after Step 3, since the first row of $R'$ vanishes. Thus for any integer $x$ such that $\alpha'_1 + x\beta'_1 \equiv 0 \pmod N$ we have $g^x = h$, provided that $\beta'_1$ is invertible in $\mathbb{Z}/N\mathbb{Z}$.

Lemma 1. After Step 3 of the algorithm the element $\beta'_1 \in \mathbb{Z}/N\mathbb{Z}$ is uniformly distributed. Therefore, the algorithm succeeds with probability $\varphi(N)/N$, where $\varphi$ denotes Euler's phi function.

Proof. We follow the argument from [9, Sec. 5] and [8, Sec. 2.3]. As $h \in \langle g \rangle$, for any fixed value $\beta_i = b \in \mathbb{Z}/N\mathbb{Z}$, the element $g^{\alpha_i}h^{b}$ is uniformly distributed over the group $\langle g \rangle$, therefore the element $g^{\alpha_i}h^{\beta_i}$ is independent of $\beta_i$. As the executions of the descent algorithm are assumed to be independent, we have that the row $(r_{i,1}, \dots, r_{i,m})$ is also independent of $\beta_i$. It follows that the matrix $R$ is independent of the vector $\beta$. Then the (invertible) transformation matrix $U \in (\mathbb{Z}/N\mathbb{Z})^{(m+1) \times (m+1)}$ is also independent of $\beta$, so that $\beta' = U\beta$ is uniformly distributed over $(\mathbb{Z}/N\mathbb{Z})^{m+1}$, since $\beta$ is. From this the lemma follows.

Regarding the running time, for Step 3 we note that a lower row echelon form of $R$ can be obtained using invertible row transformations as for the Smith normal form, which along with the corresponding transformation matrices can be computed in polynomial time [15], so that Step 3 takes time polynomial in $m$ and $\log N$. Furthermore, from [18] we obtain $N/\varphi(N) \in O(\log\log N)$. Altogether this implies that the DLP algorithm has quasi-polynomial expected running time (in $\log N$), provided the descent is quasi-polynomial. We defer a detailed complexity analysis of the descent to Section 3.

Observe that the algorithm does not require $g$ to be a generator of $\mathbb{F}_{q^{kl}}^{\times}$, which is in practice hard to test without factorising $N$. In fact, the algorithm gives rise to a Monte Carlo method for deciding group membership $h \in \langle g \rangle$. Indeed, if a discrete logarithm $\log_g h$ has been computed, then obviously $h \in \langle g \rangle$; thus if $h \notin \langle g \rangle$, we always must have $\gcd(\beta'_1, N) > 1$ in Step 4.

Practitioners may have noticed inefficiencies in the algorithm. For example, in the usual index calculus method one precomputes the logarithms of all factor base elements and then applies a single descent to the target element to obtain its logarithm. Moreover, one usually first computes the logarithm in $\mathbb{F}_{q^{kl}}^{\times}/\mathbb{F}_{q^k}^{\times}$, i.e., one ignores multiplicative constants and therefore includes only monic polynomials in the factor base, obtaining the remaining information by solving an additional DLP in $\mathbb{F}_{q^k}^{\times}$. However, the setup as presented simplifies and facilitates our rigorous analysis.

3 The descent 

In this section we detail the building block behind our descent method and explain why its successful application implies Theorem 2. Let $q$ be a prime power, $k$ and $l$ positive integers and let $R = \mathbb{F}_{q^k}[X, Y]$. The setup for the target field $\mathbb{F}_{q^{kl}}$ has irreducible polynomials $f_1 = Y - X^q \in R$ and $f_2 = h_1Y - h_0 \in R$ with $h_0, h_1 \in \mathbb{F}_{q^k}[X]$ coprime of degree at most two and $h_1X^q - h_0$ having an irreducible factor $I$ of degree $l$, i.e., $R_{12} = \mathbb{F}_{q^k}[X, Y]/(f_1, f_2)$ is a finite ring surjecting onto $\mathbb{F}_{q^{kl}} = \mathbb{F}_{q^k}[X]/(I)$.† This implies $R_1 = R/(f_1) \cong \mathbb{F}_{q^k}[X]$ and $R_2 = R/(f_2) \cong \mathbb{F}_{q^k}[X][h_1^{-1}]$, and from now on we identify elements in $R_1$ and $R_2$ with expressions in $X$ via these isomorphisms. The setup is summarised in Fig. 1.

By the phrase "rewriting a polynomial $Q$ (in $R_1$ or $R_2$) in terms of polynomials $P_i$ (in $R_1$ or $R_2$)" we henceforth mean that in the target field the image of $Q$ equals a product of (positive or negative) powers of images of $P_i$. If the $P_i$ are of lower degree then one has eliminated the polynomial $Q$. Typically such rewritings are obtained by considering $V \bmod f_1 \in R_1$ and $V \bmod f_2 \in R_2$, where $V \in R$. Since $h_1$ usually appears in $V \bmod f_2$, it is adjoined to the factor base $\mathcal{F}$, and for the sake of simplicity it is sometimes suppressed in the following description. Accordingly, a descent is an algorithm that rewrites any given nonzero target field element, represented by a polynomial $Q$, in terms of polynomials $F_j$ of the factor base, i.e., of degree $\le 1$.

† One can equally well work with $f_2 = h_1X - h_0$ with $h_i \in \mathbb{F}_{q^k}[Y]$ of degree at most two, where $h_1(X^q)X - h_0(X^q)$ has a degree $l$ irreducible factor, as proposed in [12], with all subsequent arguments holding mutatis mutandis.

Fig. 1: Setup for the target field $\mathbb{F}_{q^{kl}}$ (diagram: $R = \mathbb{F}_{q^k}[X, Y]$ maps onto $R_1 = R/(f_1)$ and $R_2 = R/(f_2)$, both of which map onto $R_{12} = R/(f_1, f_2)$, which in turn surjects onto $\mathbb{F}_{q^{kl}}$).

3.1 Degree two elimination

In this subsection we review the on-the-fly degree two elimination method from [10], adjusted for the present framework. In [4] the major portion of the set of polynomials obtained as linear fractional transformations of $X^q - X$ is parameterised as follows. Let $\mathcal{B}_k$ be the set of $B \in \mathbb{F}_{q^k}$ such that the polynomial $X^{q+1} - BX + B$ splits completely over $\mathbb{F}_{q^k}$, the cardinality of which is approximately $q^{k-3}$ [4, Lemma 4.4]. Scaling and translating these polynomials means that all the polynomials $X^{q+1} + aX^q + bX + c$ with $c \ne ab$, $b \ne a^q$ and $B = (b - a^q)^{q+1}/(c - ab)^q$ split completely over $\mathbb{F}_{q^k}$ whenever $B \in \mathcal{B}_k$.
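Added worked example (not part of the paper's text; it uses only the polynomial form $X^{q+1} + aX^q + bX + c$ and the set $\mathcal{B}_k$ introduced above): the translation and scaling that bring the general polynomial to the normal form $X^{q+1} - BX + B$, and thereby produce the quantity $B$.

$$
\begin{aligned}
X = Y - a:\quad & (Y - a)^{q+1} + a(Y - a)^q + b(Y - a) + c \\
& = (Y^q - a^q)(Y - a) + a(Y^q - a^q) + bY - ab + c \\
& = Y^{q+1} + (b - a^q)\,Y + (c - ab), \\[4pt]
Y = tZ:\quad & t^{q+1}Z^{q+1} + (b - a^q)\,t\,Z + (c - ab) \;\propto\; Z^{q+1} + (b - a^q)\,t^{-q}\,Z + (c - ab)\,t^{-q-1}.
\end{aligned}
$$

For $b \ne a^q$ and $c \ne ab$ choose $t = -(c - ab)/(b - a^q)$; the coefficient of $Z$ becomes $(-1)^q B$ and the constant term $(-1)^{q+1} B$ with

$$B = \frac{(b - a^q)^{q+1}}{(c - ab)^q},$$

which for odd $q$ is exactly $-B$ and $B$, and in characteristic 2 the signs are irrelevant. Both substitutions are bijections of $\mathbb{F}_{q^k}$ onto itself, so $X^{q+1} + aX^q + bX + c$ splits completely over $\mathbb{F}_{q^k}$ precisely when $Z^{q+1} - BZ + B$ does, i.e. when $B \in \mathcal{B}_k$. The two excluded cases correspond to a vanishing scaling factor ($c = ab$) and to a polynomial $Y^{q+1} + (c - ab)$ without linear term ($b = a^q$).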

Let $Q$ (viewed as a polynomial in $R_2$) be an irreducible quadratic polynomial to be eliminated. We let $L_Q \subset \mathbb{F}_{q^k}[X]^2$ be the lattice defined by

$$L_Q = \{(w_0, w_1) \in \mathbb{F}_{q^k}[X]^2 \mid w_0h_0 + w_1h_1 \equiv 0 \pmod Q\}. \qquad (3)$$

In the case that $Q$ divides $w_0h_0 + w_1h_1 \ne 0$ for some $w_0, w_1 \in \mathbb{F}_{q^k}$, then $Q = w(w_0h_0 + w_1h_1)$ for some $w \in \mathbb{F}_{q^k}^{\times}$, since the degree on the right hand side is at most two. Therefore, $Q$ can be rewritten in terms of $w_0X^q + w_1 = (w_0^{1/q}X + w_1^{1/q})^q \in R_1$ (and $h_1$), by considering the element $V = w_0Y + w_1 \in R$. We will say in this case that the lattice is degenerate.

In the other (non-degenerate) case, $L_Q$ has a basis of the form $(1, u_0X + u_1), (X, v_0X + v_1)$ with $u_i, v_i \in \mathbb{F}_{q^k}$. Since the polynomial $V = XY + aY + bX + c$ maps to $\frac{1}{h_1}\bigl((X + a)h_0 + (bX + c)h_1\bigr)$ in $R_2$, $Q$ divides $V \bmod f_2$ if and only if $(X + a, bX + c) \in L_Q$. Note that the numerator of $V \bmod f_2$ is of degree at most three, thus it can at worst contain a linear factor besides $Q$. If the triple $(a, b, c)$ also satisfies $c \ne ab$, $b \ne a^q$ and $B \in \mathcal{B}_k$, then $V \bmod f_1$ splits into linear factors and thus $Q$ has been rewritten in terms of linear polynomials.

Algorithmically, a triple $(a, b, c)$ satisfying all conditions can be found in several ways. Choosing a $B \in \mathcal{B}_k$, considering $(X + a, bX + c) = a(1, u_0X + u_1) + (X, v_0X + v_1)$ and rewriting $b = u_0a + v_0$ and $c = u_1a + v_1$ gives the condition

$$B = \frac{(-a^q + u_0a + v_0)^{q+1}}{(-u_0a^2 + (-v_0 + u_1)a + v_1)^q}. \qquad (4)$$

By expressing $a$ in an $\mathbb{F}_{q^k}/\mathbb{F}_q$ basis, (4) results in a quadratic system in $k$ variables [11]. Using a Gröbner basis algorithm the running time is exponential in $k$. Alternatively, and this is one of the key observations for the present work, equation (4) can be considered as a polynomial of degree $q^2 + q$ in $a$ whose roots can be found in (deterministic) polynomial time in $q$ and in $k$ by using an algorithm of Berlekamp [3]. One can also check for random $(a, b, c)$ such that the lattice condition holds, whether $X^{q+1} + aX^q + bX + c$ splits into linear polynomials, which happens with probability $q^{-3}$. Each such instance is also polynomial time in $q$ and in $k$.

These degree 2 elimination methods will fail when $Q$ divides $h_1X^q - h_0$, because this would imply that the polynomial $V \bmod f_1 = X^{q+1} + aX^q + bX + c$ is divisible by $Q$ whenever $V \bmod f_2$ is, a problem first discussed in [6]. Such polynomials $Q$ or their roots will be called traps of level 0. Similarly, these degree 2 elimination methods might also fail when $Q$ divides $h_1X^{q^{k+1}} - h_0$, in which case such polynomials $Q$ or their roots will be called traps of level $k$.

Note that for Kummer extensions, i.e., when $h_1 = 1$ and $h_0 = aX$ for some $a \in \mathbb{F}_{q^k}^{\times}$, there are no traps and hence much of the following treatment is not required for proving only Theorem 1. However, it is essential to consider traps for proving the far more general Theorem 2.

3.2 Elimination requirements

The degree two elimination method can be transformed into an elimination method for irreducible even degree polynomials. We now present a theorem which states that under some assumptions this degree two elimination is guaranteed to succeed, and subsequently demonstrate that it implies Theorem 2.

An element $\tau \in \overline{\mathbb{F}_{q^k}}$ for which $[\mathbb{F}_{q^k}(\tau) : \mathbb{F}_{q^k}] = 2d$ is even and $h_1(\tau) \ne 0$, is called a trap root if it is a root of $h_1X^q - h_0$ or $h_1X^{q^{kd+1}} - h_0$, or if $\frac{h_0}{h_1}(\tau) \in \mathbb{F}_{q^{kd}}$. Note that the set of trap roots is invariant under the absolute Galois group of $\mathbb{F}_{q^k}$. A polynomial in $R_1$ or $R_2$ is said to be good if it has no trap roots; the same definitions are used when the base field of $R_1$ and $R_2$ is extended. This definition encompasses traps of level 0, of level $kd$, and the case where for $Q \ne h_1$ the lattice $L_Q$ is degenerate.

Theorem 3. Let $q \ge 61$ be a prime power that is not a power of 4, let $k \ge 18$ be an integer and let $h_0, h_1 \in \mathbb{F}_{q^k}[X]$ be coprime polynomials of degree at most two with $h_1X^q - h_0$ having an irreducible degree $l$ factor. Moreover, let $d \ge 1$ be an integer, let $Q \in \mathbb{F}_{q^{kd}}[X]$, $Q \ne h_1$ be an irreducible quadratic good polynomial, and let $(1, u_0X + u_1), (X, v_0X + v_1)$ be a basis of the lattice $L_Q$ in (3), now over $\mathbb{F}_{q^{kd}}$. Then the number of solutions $(a, B) \in \mathbb{F}_{q^{kd}} \times \mathcal{B}_{kd}$ of (4) resulting in good descendents is at least [bound lost in extraction].

This theorem is of central importance for our rigorous analysis and is proven in Section 4. 

3.3 Degree 2d elimination and descent complexity

Now we demonstrate how the degree two elimination gives rise to a method for eliminating irreducible even degree polynomials, which is the crucial building block for our descent algorithm. As per Theorem 3, let $q \ge 61$ be a prime power that is not a power of 4, let $k \ge 18$, and let $h_0, h_1, I$ be as before.

Proposition 1. Let $d \ge 1$ and $Q \in R_2$, $Q \ne h_1$, be an irreducible good polynomial of degree $2d$. Then $Q$ can be expressed in terms of at most $q + 2$ irreducible good polynomials of degrees dividing $d$, in an expected running time polynomial in $q$ and in $d$.

Proof. Over the extension $\mathbb{F}_{q^{kd}}$ the polynomial $Q$ splits into $d$ irreducible good quadratic polynomials, which are all conjugates under $\mathrm{Gal}(\mathbb{F}_{q^{kd}}/\mathbb{F}_{q^k})$; let $Q'$ be one of them. Since $Q' \ne h_1$ is good it does not divide $w_0h_0 + w_1h_1 \ne 0$ for some $w_0, w_1 \in \mathbb{F}_{q^{kd}}$. By Theorem 3, with an expected polynomial number of trials, the degree two elimination method for $Q' \in \mathbb{F}_{q^{kd}}[X]$ produces a polynomial $P' \in \mathbb{F}_{q^{kd}}[X, Y]$ such that $P' \bmod f_1$ splits into a product of at most $q + 1$ good polynomials of degree one over $\mathbb{F}_{q^{kd}}$ and such that $(P' \bmod f_2)h_1$ is a product of $Q'$ and a good polynomial of degree at most one. Let $P$ be the product of all conjugates of $P'$ under $\mathrm{Gal}(\mathbb{F}_{q^{kd}}/\mathbb{F}_{q^k})$. As the product of all conjugates of a linear polynomial under $\mathrm{Gal}(\mathbb{F}_{q^{kd}}/\mathbb{F}_{q^k})$ is the $d_1$-th power of an irreducible degree $d_2$ polynomial for $d_1$ and $d_2$ satisfying $d_1d_2 = d$, the rewriting assertion of the proposition follows.

The three steps of this method - computing $Q'$, the degree two elimination (when the second or third approach listed above for solving (4) is used), and the computation of the polynomial norms - all have running time polynomial in $q$ and in $d$, which proves the running time assertion.

By recursively applying Proposition 1 we can express a good irreducible polynomial of degree $2^e$, $e \ge 1$, in terms of at most $(q + 2)^e$ linear polynomials. The final step of this recursion, namely eliminating up to $(q + 2)^{e-1}$ quadratic polynomials, dominates the running time, which is thus upper bounded by $(q + 2)^e$ times a polynomial in $q$.

Lemma 2. Any nonzero element in $\mathbb{F}_{q^{kl}}$ can be lifted to an irreducible good polynomial of degree $2^e$ in $\mathbb{F}_{q^k}[X]$, provided that $2^e \ge 4l$.

Proof. By the effective Dirichlet-type theorem on irreducibles in arithmetic progressions [19, Thm. 5.1], for $2^e \ge 4l$ the probability of irreducibility for a random lift is lower bounded by $2^{-e-1}$. One may actually find an irreducible polynomial of degree $2^e$ which is good, since the number of possible trap roots is much smaller than the number ($\ge q^{k(2^e - l)}2^{-e-1}$) of irreducibles produced by this Dirichlet-type theorem.

Finally, putting everything together (and assuming Theorem 3) proves the quasi-polynomial expected running time of a descent and therefore the running time of the algorithm, establishing Theorem 2.

Note that when $q = L_{q^{kl}}(a)$, where $L_N(a)$ for $a \in [0, 1]$ is the usual subexponential function $\exp\bigl(O((\log N)^a(\log\log N)^{1-a})\bigr)$ as in [2], the complexity stated in Theorem 2 is $L_{q^{kl}}(a + o(1))$, which is therefore better than the classical function field sieve for $a < 1/3$.

Also note that during an elimination step, one need not use the basic building block as stated, which takes the norms of the linear polynomials produced back down to $\mathbb{F}_{q^k}$. Instead, one need only take their norms to a subfield of index 2, thus becoming quadratic polynomials, and then recurse, as depicted in Fig. 2.

Fig. 2: Elimination of irreducible polynomials of degree a power of 2 when considered as elements of $\mathbb{F}_{q^k}[X]$. The three arrow directions indicate factorisation, degree 2 elimination and taking a norm with respect to the indicated subfield, respectively. (We have suppressed the rare cases, where linear polynomials are already in a subfield of index 2.)
4 Proof of Theorem 3

In this section we prove Theorem 3, which by the arguments of the previous section demonstrates the correctness of the algorithm and the main theorems.

4.1 Notation and statement of supporting results

Let $K = \mathbb{F}_{q^{kd}}$ where $kd \ge 18$, let $L = \mathbb{F}_{q^{2kd}}$ be its quadratic extension, and let $\mathcal{B}$ be the set of $B \in K$ such that the polynomial $X^{q+1} - BX + B$ splits completely over $K$. Using an elementary extension of [13, Prop. 5] we have the following characterisation; we add a short proof for the reader's convenience.

Lemma 3. The set $\mathcal{B}$ equals the image of $K \setminus \mathbb{F}_{q^2}$ under the map

$$u \mapsto \frac{(u - u^{q^2})^{q+1}}{(u - u^q)^{q^2+1}}.$$

Proof. We consider the action of $\mathrm{PGL}_2(K)$ on polynomials, cf. Subsection 4.4. For $u \in K \setminus \mathbb{F}_{q^2}$ the matrix [matrix lost in extraction], with entries $\lambda$ [expression lost in extraction] and $\mu = \frac{1}{u - u^q}$, transforms the polynomial $X^q - X$ into $X^{q+1} - BX + B$ with $B = \frac{(u - u^{q^2})^{q+1}}{(u - u^q)^{q^2+1}}$. Thus the set $\mathcal{B}$ contains the image of the map.

Conversely, assume that $X^{q+1} - BX + B$ splits completely and $B \ne 0$. Since the polynomial has no double roots, it is $X^q - X$ transformed under some $g \in \mathrm{PGL}_2(K)$. As the polynomial has degree $q + 1$ the matrix $g$ can be decomposed as above, a priori with different $\lambda$ and $\mu$. Since the shape of the polynomial determines $\lambda$ and $\mu$ in terms of $u$, $B$ must be as above.


Now let $Q$ be an irreducible quadratic polynomial in $K[X]$ such that a basis of its associated lattice $L_Q$ in (3), now over $K$, is given by $(1, u_0X + u_1), (X, v_0X + v_1)$. Then $Q$ is a scalar multiple of $-u_0X^2 + (-u_1 + v_0)X + v_1$. By Lemma 3 and (4), in order to eliminate $Q$ we need to find $(a, u) \in K \times (K \setminus \mathbb{F}_{q^2})$ satisfying

$$(u - u^{q^2})^{q+1}\bigl(-u_0a^2 + (-v_0 + u_1)a + v_1\bigr)^q - (u - u^q)^{q^2+1}\bigl(-a^q + u_0a + v_0\bigr)^{q+1} = 0.$$


The two terms have a common factor $(u - u^q)^{q+1}$ which motivates the following definitions. Let $\alpha = -u_0$, $\beta = u_1 - v_0$, $\gamma = v_1$ and $\delta = -v_0$ with $\alpha, \beta, \gamma, \delta \in K$, as well as

$$D = \frac{U^{q^2} - U}{U^q - U} = \prod_{\theta \in \mathbb{F}_{q^2} \setminus \mathbb{F}_q}(U - \theta),$$

$$E = U^q - U = \prod_{\theta \in \mathbb{F}_q}(U - \theta),$$

$$F = \alpha A^2 + \beta A + \gamma = \alpha(A - \rho_1)(A - \rho_2) \text{ with } \rho_1, \rho_2 \in L,$$

$$G = A^q + \alpha A + \delta \text{ and}$$

$$P \in K[A, U], \text{ the polynomial obtained from the displayed equation by dividing out the common factor } (u - u^q)^{q+1} \text{ and expressing the result in } D, E, F, G.$$

Note that $F$ equals $Q(-A)$ (up to a scalar), so that $\deg(F) = 2$, $F$ is irreducible and $\rho_1, \rho_2 \notin K$. We consider the curve $C$ defined by $P = 0$ and are interested in the number of (affine) points $(a, u) \in C(K)$ with $u \notin \mathbb{F}_{q^2}$. More precisely, we want to prove the following.
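Added worked derivation (not part of the paper's text; it uses only the quantities $u_i, v_i, \alpha, \beta, \gamma, \delta, D, E, F, G$ defined above and the map of Lemma 3) showing how the equation in $(a, u)$ reduces to $P$ and what its degrees are:

$$
\begin{aligned}
& \text{With } b = u_0a + v_0 \text{ and } c = u_1a + v_1: \qquad b - a^q = -(a^q + \alpha a + \delta) = -G(a), \qquad c - ab = \alpha a^2 + \beta a + \gamma = F(a), \\
& \text{so (4) is } B\,F(a)^q = (-G(a))^{q+1} = G(a)^{q+1} \quad (\text{for odd } q \text{ the exponent } q+1 \text{ is even; in characteristic 2 signs are irrelevant}). \\
& \text{Inserting } B = \frac{(u - u^{q^2})^{q+1}}{(u - u^q)^{q^2+1}} \text{ and clearing denominators gives the displayed equation. Now} \\
& u - u^{q^2} = -(U^{q^2} - U)\big|_{U = u} = -D(u)\,E(u), \qquad u - u^q = -E(u), \\
& \text{so its left hand side equals } (DE)^{q+1}F^q - E^{q^2+1}G^{q+1} = E^{q+1}\bigl(D^{q+1}F^q - E^{q^2-q}G^{q+1}\bigr), \\
& \text{whence } P = D^{q+1}F^q - E^{q^2-q}G^{q+1} \in K[A, U]. \\
& \deg_U\bigl(D^{q+1}F^q\bigr) = (q^2 - q)(q + 1) = q^3 - q, \qquad \deg_U\bigl(E^{q^2-q}G^{q+1}\bigr) = q(q^2 - q) = q^3 - q^2, \\
& \text{hence } \deg_U P = q^3 - q \text{ with leading coefficient } F^q, \text{ and } \deg_A P = (q+1)\deg_A G = q^2 + q \text{ since } \deg_A F^q = 2q < q^2 + q.
\end{aligned}
$$

These degrees are the ones used in Subsection 4.4 ($P = F^q\prod(U - \tau_i)$ with $q^3 - q$ roots, and $\deg_A(P) = q^2 + q$), and the factor $E^{q+1}$ that was divided out only contributes points with $u \in \mathbb{F}_q$, which Theorem 4 excludes anyway.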





Theorem 4. Let $q \ge 61$ be a prime power that is not a power of 4. If the conditions

(*) $\rho_1^q + \alpha\rho_2 + \delta \ne 0$,

(**) $\rho_1^q + \alpha\rho_1 + \delta \ne 0$

hold then there are at least [bound lost in extraction] pairs $(a, u) \in K \times (K \setminus \mathbb{F}_{q^2})$ satisfying $P(a, u) = 0$.

The relation of the two conditions to the quadratic polynomial $Q$ as well as properties of traps are described in the following propositions.

Proposition 2. If condition (*) is not satisfied, then $Q$ divides $h_1X^q - h_0$, i.e., $Q$ is a trap of level 0. If condition (**) is not satisfied, then $Q$ divides $h_1X^{q^{kd+1}} - h_0$, i.e., $Q$ is a trap of level $kd$. In particular, if $Q$ is a good polynomial then conditions (*) and (**) are satisfied.

Proposition 3. Let $(a, u), (a', u') \in K \times (K \setminus \mathbb{F}_{q^2})$ be two solutions of $P = 0$ with $a \ne a'$, corresponding to the polynomials $V_a = XY + aY + bX + c$ and $V_{a'} = XY + a'Y + b'X + c'$, respectively. Then $V_a \bmod f_1$ and $V_{a'} \bmod f_1$ have no common roots. Furthermore, the common roots of $V_a \bmod f_2$ and $V_{a'} \bmod f_2$ are precisely the roots of $Q$.

Now we explain how (for $q \ge 61$ not a power of 4) Theorem 3 follows from the above theorem and the propositions. Since the irreducible quadratic polynomial $Q$ is good, the lattice $L_Q$ is non-degenerate so that a basis as above exists, and by Proposition 2 the two conditions of Theorem 4 are satisfied. The map of Lemma 3 is $(q^3 - q) : 1$ on $K \setminus \mathbb{F}_{q^2}$, hence there are at least [bound lost in extraction] solutions $(a, B) \in K \times \mathcal{B}$ of (4), which contain at least [bound lost in extraction] different values $a \in K$. Observe that a trap root $\tau$ that may occur in this situation is a root of $h_1X^q - h_0$, or of $h_1X^{q^{kd'+1}} - h_0$ for $d' \mid d$, or it satisfies $\frac{h_0}{h_1}(\tau) \in \mathbb{F}_{q^{kd/2}}$. The cardinality of these trap roots is at most [bound lost in extraction]. By Proposition 3 a trap root can appear in $V_a \bmod f_j$ for at most two values $a$, at most once for $j = 1$ and at most once for $j = 2$. Hence there are at most [bound lost in extraction] values $a$ for which a trap root appears in $V_a \bmod f_j$, $j = 1, 2$. Thus there are at least [bound lost in extraction] different values $a$ for which a solution $(a, B)$ leads to an elimination into good polynomials. This finishes the proof of Theorem 3, hence we focus on proving the theorem and the two propositions above.

4.2 Outline of the proof method

The main step of the proof of the theorem consists in showing that, subject to conditions (*) and (**), there exists an absolutely irreducible factor $P_1$ of $P$ that lies already in $K[A, U]$. Since the (total) degree of $P_1$ is at most $q^2 + q$, restricting to the component of the curve defined by $P_1$ and using the Weil bound for possibly singular plane curves gives a lower bound on the cardinality of $C(K)$ which is large enough to prove the theorem after accounting for projective points and points with second coordinate in $\mathbb{F}_{q^2}$. This argument is given in the next subsection before dealing with the more involved main step.

For proving the main step the action of $\mathrm{PGL}_2(\mathbb{F}_q)$ on the variable $U$ is considered. An absolutely irreducible factor $P_1$ of $P$ is stabilised by a subgroup $S_1 \subset \mathrm{PGL}_2(\mathbb{F}_q)$ satisfying some conditions. The first step is to show that, after possibly switching to another absolutely irreducible factor, there are only a few cases for the subgroup. Then for each case it is shown that the factor is defined over $K[A, U]$ or that one of the conditions on the parameters is not satisfied. The propositions are proven in the final subsection.

4.3 Weil bound

Let $C_1$ be the absolutely irreducible plane curve defined by $P_1$ of degree $d_1 \le q^2 + q$. Corollary 2.5 of [1] shows that

$$\bigl|\#C_1(K) - q^{kd} - 1\bigr| \le (d_1 - 1)(d_1 - 2)\,q^{kd/2}.$$

Since $\deg_A(P_1) \le q^2 + q$ there are at most $q^4 + q^3$ affine points with $u \in \mathbb{F}_{q^2}$. The number of points at infinity is at most $d_1 \le q^2 + q$. Denoting by $C_1(K)'$ the set of affine points in $C_1(K)$ with second coordinate $u \notin \mathbb{F}_{q^2}$ one obtains

$$\#C_1(K)' \ge q^{kd} - (q^2 + q)^2 - d_1 - (d_1 - 1)(d_1 - 2)\,q^{kd/2} \ge q^{kd} - q^{kd/2 + 8},$$

which is large enough since $kd \ge 18$, thus proving the theorem if there exists an absolutely irreducible factor $P_1$ defined over $K[A, U]$.


4.4 PGL2 action

Here the following convention for the action of $\mathrm{PGL}_2(\mathbb{F}_q)$ on $\mathbb{P}^1$ and on polynomials is used. A matrix $\sigma = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \mathrm{PGL}_2(\mathbb{F}_q)$ acts on $\mathbb{P}^1(M)$, where $M$ is an arbitrary field containing $\mathbb{F}_q$, by

$$(x_0 : x_1) \mapsto (ax_0 + bx_1 : cx_0 + dx_1)$$

or, via $\mathbb{P}^1(M) = M \cup \{\infty\}$, by $x \mapsto \frac{ax + b}{cx + d}$. This is an action on the left, i.e., for $\sigma, \tau \in \mathrm{PGL}_2(\mathbb{F}_q)$ and $x \in \mathbb{P}^1(M)$ the following holds: $\sigma(\tau(x)) = (\sigma\tau)(x)$. On a homogeneous polynomial $H$ in the variables $(X_0 : X_1)$ the action of $\sigma = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$ is given by $H^{\sigma}(X_0 : X_1) = H(aX_0 + bX_1 : cX_0 + dX_1)$. This is an action on the right, satisfying $(H^{\sigma})^{\tau} = H^{\sigma\tau}$. In the following we will usually use this action on the dehomogenised polynomials given by $H^{\sigma}(X) = H\bigl(\frac{aX + b}{cX + d}\bigr)$, clearing denominators in the appropriate way.

The polynomial $P \in (K[A])[U]$ is invariant under $\mathrm{PGL}_2(\mathbb{F}_q)$ acting on the variable $U$; this can be seen by considering the actions of $\begin{pmatrix} a & b \\ 0 & 1 \end{pmatrix}$ and $\begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}$, and noticing that $\mathrm{PGL}_2(\mathbb{F}_q)$ is generated by these matrices. Let

$$P = s\prod_{i=1}^{t} P_i, \qquad P_i \in (\overline{K}[A])[U],\ s \in \overline{K}[A],$$

be the decomposition of $P$ in $(\overline{K}[A])[U]$ into irreducible factors $P_i$ and possibly reducible $s$. Notice that $s$ must divide $F^q$ and hence it divides a power of $\gcd(F, G)$. As $F$ is irreducible, $\gcd(F, G)$ is either constant or of degree two. In the latter case $\rho_1$ is a root of $G$ contradicting condition (**). Therefore one can assume that $s \in \overline{K}$ is a constant.

Let

$$P = F^q\prod_{i=1}^{q^3 - q}(U - \tau_i), \qquad \tau_i \in \overline{K(A)},$$

be the decomposition of $P$ in $\overline{K(A)}[U]$. Then $\mathrm{PGL}_2(\mathbb{F}_q)$ permutes the set $\{\tau_i\}$ and, since fixed points of $\mathrm{PGL}_2(\mathbb{F}_q)$ lie in $\mathbb{F}_{q^2}$ but $\tau_i \notin \mathbb{F}_{q^2}$, the action is free. Since $\#\mathrm{PGL}_2(\mathbb{F}_q) = q^3 - q$ the action is transitive.

Therefore the action on the decomposition over $\overline{K}[A, U]$ is also transitive (adjusting the $P_i$ by scalars in $\overline{K}[A]$ if necessary). Denoting by $S_i \subset \mathrm{PGL}_2(\mathbb{F}_q)$ the stabiliser of $P_i$ it follows that all $S_i$ are conjugates of each other, thus they have the same cardinality and hence $q^3 - q = t \cdot \#S_i$. Moreover the degree of $P_i$ in $U$ is constant, namely $\deg_U(P_i) = \#S_i$, and also the degree of $P_i$ in $A$ is constant, thus $t \mid q^2 + q = \deg_A(P)$. In particular, $q - 1 \mid \#S_i$ and $\deg_A(P_i) = \#S_i/(q - 1)$.
4.5 Subgroups of PGL2

The classification of subgroups of $\mathrm{PSL}_2(\mathbb{F}_q)$ is well known [7] and allows to determine all subgroups of $\mathrm{PGL}_2(\mathbb{F}_q)$ [5]. Since $\#S_i$ is divisible by $q - 1$ (in particular $\#S_i \ge 60$), only the following subgroups are of interest (per conjugation class only one subgroup is listed):


1. the cyclic group $\left\{\begin{pmatrix} a & 0 \\ 0 & 1 \end{pmatrix} \mid a \in \mathbb{F}_q^{\times}\right\}$ of order $q - 1$,

2. the dihedral group $\left\{\begin{pmatrix} a & 0 \\ 0 & 1 \end{pmatrix}\right\} \cup \left\{\begin{pmatrix} 0 & c \\ 1 & 0 \end{pmatrix}\right\}$ ($a, c \in \mathbb{F}_q^{\times}$) of order $2(q - 1)$ and, if $q$ is odd, its two dihedral subgroups $\left\{\begin{pmatrix} a & 0 \\ 0 & 1 \end{pmatrix} \mid a \text{ a square}\right\} \cup \left\{\begin{pmatrix} 0 & c \\ 1 & 0 \end{pmatrix} \mid c \ne 0 \text{ a square}\right\}$ and $\left\{\begin{pmatrix} a & 0 \\ 0 & 1 \end{pmatrix} \mid a \text{ a square}\right\} \cup \left\{\begin{pmatrix} 0 & c \\ 1 & 0 \end{pmatrix} \mid c \text{ a non-square}\right\}$, both of order $q - 1$,

3. the group $\left\{\begin{pmatrix} a & b \\ 0 & 1 \end{pmatrix} \mid a \in \mathbb{F}_q^{\times}, b \in \mathbb{F}_q\right\}$ of order $q^2 - q$,

4. if $q$ is odd, $\mathrm{PSL}_2(\mathbb{F}_q)$ of index 2,

5. if $q = q'^2$ is a square, $\mathrm{PGL}_2(\mathbb{F}_{q'})$ of order $q'^3 - q' = q'(q - 1)$, and

6. $\mathrm{PGL}_2(\mathbb{F}_q)$.

In the last case $P$ is absolutely irreducible, thus it remains to investigate the first five cases which are treated in the next subsection.

Remark: The condition $q \ge 61$ rules out some small subgroups as $A_4$, $S_4$, and $A_5$. In many of the finitely many cases $q < 61$ the proof of the theorem also works (e.g., $q$ not a square and $q - 1 \nmid 120$). The condition of $q$ not being a power of even exponent of 2 eliminates the fifth case in characteristic 2; removing this condition would be of some interest.


4.6 The individual cases

Since the stabilisers $S_i$ are conjugates of each other, one can assume without loss of generality that $S_1$ is one of the explicit subgroups given in the previous subsection. Then the polynomial $P_1$ is invariant under certain transformations of $U$, so that $P_1$ and $P$ can be rewritten in terms of another variable as stated in the following.

If a polynomial (in the variable $U$) is invariant under $U \mapsto aU$, $a \in \mathbb{F}_q^{\times}$, it can be considered as a polynomial in the variable $V = U^{q-1}$. For the polynomials $D$ and $E^{q-1}$ one obtains

$$D = \frac{V^{q+1} - 1}{V - 1} \quad \text{and} \quad E^{q-1} = V(V - 1)^{q-1}.$$

Similarly, in the case of odd $q$, if a polynomial is invariant under $U \mapsto aU$ for all squares $a \in \mathbb{F}_q^{\times}$, it can be rewritten in the variable $V = U^{(q-1)/2}$. For $D$ and $E^{q-1}$ this gives

$$D = \frac{V^{2q+2} - 1}{V^2 - 1} \quad \text{and} \quad E^{q-1} = V^2(V^2 - 1)^{q-1}.$$

If a polynomial is invariant under $U \mapsto U + b$, $b \in \mathbb{F}_q$, it can be considered as a polynomial in $V = U^q - U$ which gives

$$D = V^{q-1} + 1 \quad \text{and} \quad E^{q-1} = V^{q-1}.$$

Combining the above yields that a polynomial which is invariant under both $U \mapsto aU$, $a \in \mathbb{F}_q^{\times}$, and $U \mapsto U + b$, $b \in \mathbb{F}_q$, can be considered as a polynomial in $W = V^{q-1} = (U^q - U)^{q-1}$. For $D$ and $E^{q-1}$ one obtains

$$D = W + 1 \quad \text{and} \quad E^{q-1} = W.$$
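The identities for $D$ and $E^{q-1}$ above, checked for small prime $q$ by an added Python script (not from the paper; polynomials in $\mathbb{F}_q[U]$ are coefficient lists modulo $q$, lowest degree first). It verifies $D \cdot (U^q - U) = U^{q^2} - U$ with $D = \sum_{j=0}^{q} V^j$ and $E^{q-1} = V(V - 1)^{q-1}$ for $V = U^{q-1}$, and $D = V^{q-1} + 1$ for $V = U^q - U$, the latter being the Frobenius identity $(U^q - U)^q + (U^q - U) = U^{q^2} - U$ in characteristic $p$; the square case and the variable $W$ follow from these two.

```python
"""Check of the change-of-variable identities of Subsection 4.6 for small prime q
(added example, not from the paper).  A polynomial in F_q[U] is a list of
coefficients mod q, lowest degree first; q itself serves as the modulus."""


def _trim(a):
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a


def add(a, b, p):
    n = max(len(a), len(b))
    return _trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % p for i in range(n)])


def neg(a, p):
    return [(-x) % p for x in a]


def sub(a, b, p):
    return add(a, neg(b, p), p)


def mul(a, b, p):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        if x:
            for j, y in enumerate(b):
                out[i + j] = (out[i + j] + x * y) % p
    return _trim(out)


def power(a, e, p):
    r = [1]
    for _ in range(e):
        r = mul(r, a, p)
    return r


def monomial(k):
    """U^k as a coefficient list."""
    return [0] * k + [1]


def check_cyclic(q):
    """V = U^{q-1}: verifies D*(U^q - U) == U^{q^2} - U for D = sum_{j<=q} V^j,
    i.e. D = (V^{q+1} - 1)/(V - 1), and E^{q-1} == V (V - 1)^{q-1}."""
    U = monomial(1)
    E = sub(monomial(q), U, q)                    # E = U^q - U
    V = monomial(q - 1)
    D = [0]
    for j in range(q + 1):
        D = add(D, power(V, j, q), q)
    d_ok = mul(D, E, q) == sub(monomial(q * q), U, q)
    e_ok = power(E, q - 1, q) == mul(V, power(sub(V, [1], q), q - 1, q), q)
    return d_ok and e_ok


def check_additive(q):
    """V = U^q - U (so V = E): verifies D == V^{q-1} + 1 via D*E == U^{q^2} - U,
    which is the Frobenius identity (U^q - U)^q + (U^q - U) = U^{q^2} - U in characteristic p.
    E^{q-1} = V^{q-1} needs no check."""
    U = monomial(1)
    E = sub(monomial(q), U, q)
    D = add(power(E, q - 1, q), [1], q)
    return mul(D, E, q) == sub(monomial(q * q), U, q)


if __name__ == "__main__":
    for q in (2, 3, 5, 7):
        print(q, check_cyclic(q), check_additive(q))
```

The checks are restricted to prime $q$ only because the script works with integers modulo $q$; the identities themselves hold for every prime power, since they only use $U^{q^2} - U = (U^q - U)^q + (U^q - U)$ and the factorisation $U^{q^2 - 1} - 1 = (U^{q-1})^{q+1} - 1$.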

This is now applied to the various cases for $S_i$.

The cyclic case. Rewriting $P$ and $P_1$ in terms of $V = U^{q-1}$ one obtains

$$P = \left(\frac{V^{q+1} - 1}{V - 1}\right)^{q+1} F^q - V^q(V - 1)^{q^2 - q}\,G^{q+1}$$

and $\deg_V(P_1) = 1$, i.e., $P_1 = p_1V - p_0$ with $p_i \in \overline{K}[A]$, $\gcd(p_0, p_1) = 1$, $\max(\deg(p_0), \deg(p_1)) = 1$ and it can be assumed that $p_0$ is monic.

The divisibility $P_1 \mid P$ transforms into the following polynomial identity in $\overline{K}[A]$:

$$\left(\frac{p_0^{q+1} - p_1^{q+1}}{p_0 - p_1}\right)^{q+1} F^q = (p_0p_1)^q(p_0 - p_1)^{q^2 - q}\,G^{q+1}.$$

The degree of the first factor on the left hand side is either $q^2 + q$ or $q^2 - 1$ (if $p_0 - \zeta p_1$ is constant for some $\zeta \in \mu_{q+1}(\mathbb{F}_{q^2}) \setminus \{1\}$). Since the degrees of the other factors are all divisible by $q$, the latter case is impossible. Since $\deg(F) = 2$ one gets $\deg(F^q) = 2q$. Furthermore, $\deg((p_0p_1)^q) \in \{q, 2q\}$, $\deg((p_0 - p_1)^{q^2 - q}) \in \{0, q^2 - q\}$ and $\deg(G^{q+1}) = q^2 + q$ which implies $\deg(p_0 - p_1) = 0$, $\deg(p_0) = \deg(p_1) = 1$ since $q > 2$.

Let $p_0 - p_1 = c_1 \in \bar{K}$; in the following $c_j$ will be some constants in $\bar{K}$. Since the first factor on the left hand side is coprime to $p_0 p_1$, it follows

$$\frac{p_0^{q+1}-p_1^{q+1}}{p_0-p_1} = c_2 G, \quad F = c_3\, p_0 p_1 \quad\text{and}\quad c_2^{q+1} c_3^q = c_1^{q^2-q}.$$


Exchanging $\rho_1$ and $\rho_2$, if needed, one obtains

$$p_0 = A - \rho_1, \quad p_1 = A - \rho_2, \quad c_3 = \alpha \quad\text{and}\quad c_1 = \rho_2 - \rho_1.$$


Considering the coefficient of $A^q$ in the equation for $G$ gives $c_2 = 1$, and evaluating this equation at $A = \rho_2$ gives

$$\rho_1^q + \alpha\rho_2 + \delta = 0.$$

This means that condition (*) does not hold.


The dihedral cases. The case of the dihedral group of order $2(q-1)$ is considered first. Then, as above, $P$ and $P_1$ can be expressed in terms of $V$, and, since $P$ and $P_1$ are also invariant under $V \mapsto 1/V$, they can be expressed in terms of $W_+ = V + 1/V$. This gives $\deg_{W_+}(P_1) = 1$ and, with $Z = \mu_{q+1}(\mathbb{F}_{q^2}) \setminus \{1\}$,

$$D^2 V^{-q} = \prod_{\zeta \in Z} \bigl(W_+ - (\zeta + \zeta^q)\bigr) \quad\text{and}$$

$$P\, V^{-(q^2+q)/2} = \prod_{\zeta \in Z} \bigl(W_+ - (\zeta+\zeta^q)\bigr)^{(q+1)/2} F^q - (W_+ - 2)^{(q^2-q)/2}\, G^{q+1}.$$

In characteristic 2 each factor of the product over $Z$ appears twice, thus justifying their exponent $(q+1)/2$.

By writing $P_1 = p_1 W_+ - p_0$, with $p_i \in \bar{K}[A]$, $\gcd(p_0,p_1) = 1$, $\max(\deg(p_0),\deg(p_1)) = 2$ and $p_0$ being monic, the divisibility $P_1 \mid P$ transforms into the following polynomial identity in $\bar{K}[A]$:

$$\Bigl(\prod_{\zeta\in Z}\bigl(p_0 - (\zeta+\zeta^q)p_1\bigr)^{(q+1)/2}\Bigr) F^q = p_1^q\, (p_0 - 2p_1)^{(q^2-q)/2}\, G^{q+1}.$$

Again the degree of the first factor on the left hand side must be divisible by $q$ (respectively, $q/2$ in characteristic 2), and since $p_0 - (\zeta+\zeta^q)p_1$ can be constant or linear for at most one sum $\zeta + \zeta^q$, the degree of the first factor must be $q^2+q$ for $q > 4$. Also the degree of $p_0 - 2p_1$ must be zero since $q > 3$, and thus the degree of $p_1$ is 2.

In even characteristic $p_0 - 2p_1 = p_0$ is a constant, thus $p_0 = 1$ ($p_0$ is monic). The involution $\zeta \mapsto \zeta^q$ on $Z$ has no fixed points, and, denoting by $Z_2$ a set of representatives of $Z$ modulo the involution, one obtains

$$\prod_{\zeta \in Z_2}\bigl(1 - (\zeta+\zeta^q)p_1\bigr) = c_1 G, \quad F = c_2 p_1 \quad\text{and}\quad c_1^{q+1} c_2^q = 1.$$

Modulo $F$ one gets $F \mid c_1 G - 1$, which implies $c_1 \in K$. Thus $c_2 \in K$, $p_1 \in K[A]$ and therefore $P_1 \in K[A, U]$.

In odd characteristic the factor corresponding to $\zeta = -1$, namely $(p_0 + 2p_1)^{(q+1)/2}$, is coprime to the other factors in the product and coprime to $p_1(p_0 - 2p_1)$. Hence $p_0 + 2p_1$ must be a square and its square root must divide $G$. Moreover, one gets $F = c_1 p_1$. Since $p_0 - 2p_1 = c_2$ is a constant and $p_0$ is monic, one gets $c_1 = 2\alpha$, implying $p_1 \in K[A]$. Since $p_0 + 2p_1 = 4p_1 + c_2$ is a square, its discriminant is zero, thus $c_2 \in K$ and hence $P_1 \in K[A, U]$.

If $S_i$ is one of the two dihedral subgroups of order $q-1$ (which implies that $q$ is odd), the argumentation is similar. The polynomials $P$ and $P_1$ are expressed in terms of $V' = U^{(q-1)/2}$ and then, since the inversion of $U$ becomes $V' \mapsto c/V'$ with $c = \pm 1$, in terms of $W'_+ = V' + 1/V'$ or $W'_- = V' - 1/V'$, respectively. In the first case $P$ is rewritten as

$$P\, V'^{-(q^2+q)} = \prod_{\zeta\in Z'}\bigl(W'_+ - (\zeta+\zeta^{-1})\bigr)^{(q+1)/2} F^q - (W'_+ - 2)^{(q^2-q)/2}(W'_+ + 2)^{(q^2-q)/2}\, G^{q+1},$$

where $Z' = \mu_{2(q+1)}(\mathbb{F}_{q^2}) \setminus \{\pm 1\}$. By setting $P_1 = p_1 W'_+ - p_0$ with $p_i \in \bar{K}[A]$, $\gcd(p_0,p_1) = 1$, $\max(\deg(p_0),\deg(p_1)) = 1$ and $p_0$ being monic, one obtains

$$\Bigl(\prod_{\zeta\in Z'}\bigl(p_0 - (\zeta+\zeta^{-1})p_1\bigr)^{(q+1)/2}\Bigr) F^q = p_1^{2q}\,(p_0-2p_1)^{(q^2-q)/2}(p_0+2p_1)^{(q^2-q)/2}\, G^{q+1}.$$

Since one of $p_0 \pm 2p_1$ is not constant, the degree of the right hand side exceeds the degree of the left hand side for $q > 5$, which is a contradiction.

In the second case $P$ is rewritten as

$$P\, V'^{-(q^2+q)} = \Bigl(\prod_{\zeta\in Z'}\bigl(W'_- - (\zeta-\zeta^{-1})\bigr)^{(q+1)/2}\Bigr) F^q - (W'_-)^{q^2-q}\, G^{q+1},$$

and by setting $P_1 = p_1 W'_- - p_0$ with $p_i \in \bar{K}[A]$, $\gcd(p_0,p_1) = 1$, $\max(\deg(p_0),\deg(p_1)) = 1$ and $p_0$ being monic, one obtains

$$\Bigl(\prod_{\zeta\in Z'}\bigl(p_0 - (\zeta-\zeta^{-1})p_1\bigr)^{(q+1)/2}\Bigr) F^q = p_1^{2q}\, p_0^{q^2-q}\, G^{q+1}.$$

Considering the degrees for $q > 3$ it follows that $p_0$ must be constant and hence $p_1$ is of degree one. Since $p_1$ is coprime to the first factor on the left hand side, it must divide $F^q$, which implies $\rho_1 = \rho_2 \in K$, contradicting the irreducibility of $F$.

The Borel case. In this case, rewriting $P$ and $P_1$ in terms of $W = (U^q - U)^{q-1}$ gives

$$P = (W+1)^{q+1} F^q - W^q G^{q+1}$$

and $\deg_W(P_1) = 1$, $P_1 = p_1 W - p_0$, with $p_i \in \bar{K}[A]$, $\gcd(p_0,p_1) = 1$, $\max(\deg(p_0),\deg(p_1)) = q$ and $p_1$ being monic. Then the divisibility $P_1 \mid P$ transforms into the following polynomial identity in $\bar{K}[A]$:

$$(p_0 + p_1)^{q+1} F^q = p_1\, p_0^q\, G^{q+1}.$$

From $\deg(G^{q+1}) = q^2+q$, $\deg(p_1 p_0^q) \geq q$ and $\deg(F^q) = 2q$ it follows that the degree of $p_0 + p_1$ must be $q$. This implies $\deg(F^q) = \deg(p_1 p_0^q)$, thus $\deg(p_0) \leq 2$ and therefore $\deg(p_1) = q$, since $q > 2$, and $\deg(p_0) = 1$.

Since $p_0 + p_1$ is coprime to $p_0 p_1$, it follows

$$p_0 + p_1 = c_1 G, \quad p_1 = p^q, \quad F = c_2\, p\, p_0 \quad\text{and}\quad c_1^{q+1} c_2^q = 1$$

for a monic linear polynomial $p \in \bar{K}[A]$.

Exchanging $\rho_1$ and $\rho_2$, if needed, one obtains

$$p = A - \rho_1, \quad p_0 = c_3(A - \rho_2), \quad c_1 = 1, \quad c_2 = 1 \quad\text{and}\quad c_3 = \alpha.$$

Evaluating $p_0 + p_1 = G$ at $A = 0$ gives

$$\rho_1^q + \alpha\rho_2 + \delta = 0.$$

This means that condition (*) does not hold.

The PSL$_2$ case. This case can only occur for odd $q$, and then $P$ splits as $P = sP_1P_2$ with a scalar $s \in \bar{K}$. The map $U \mapsto aU$ for a non-square $a \in \mathbb{F}_q$ exchanges $P_1$ and $P_2$. Since $\mathrm{PSL}_2(\mathbb{F}_q)$ is a normal subgroup of $\mathrm{PGL}_2(\mathbb{F}_q)$, $P_2$ is invariant under $\mathrm{PSL}_2(\mathbb{F}_q)$ as well. By rewriting $P$ in terms of $W' = (U^q - U)^{(q-1)/2}$ one obtains

$$P = (W'^2 + 1)^{q+1} F^q - W'^{2q}\, G^{q+1} = s\, P_1(W')\, P_1(-W').$$

Denoting by $p_0 \in \bar{K}[A]$ the constant coefficient of $P_1 \in (\bar{K}[A])[W']$, this becomes modulo $W'$

$$F^q = s\, p_0^2,$$

which implies $\rho_1 = \rho_2 \in K$, contradicting the irreducibility of $F$.

The case PGL$_2(\mathbb{F}_{q'})$. Since $\mathrm{PGL}_2(\mathbb{F}_{q'}) \subset \mathrm{PSL}_2(\mathbb{F}_q)$ in odd characteristic, one can reduce this case to the previous case as follows.

Let $I_1 \subset \{1, \dots, \ell\}$ be the subset of $i$ such that $S_i$ is a conjugate of $S_1$ by an element in $\mathrm{PSL}_2(\mathbb{F}_q)$, and let $I_2 = \{1, \dots, \ell\} \setminus I_1$. These two sets correspond to the two orbits of the action of $\mathrm{PSL}_2(\mathbb{F}_q)$ on the $S_i$ (or $P_i$). Both orbits contain $\ell/2$ elements, and an element in $\mathrm{PGL}_2(\mathbb{F}_q) \setminus \mathrm{PSL}_2(\mathbb{F}_q)$ transfers one orbit into the other.

Let $P_j = \prod_{i \in I_j} P_i$, $j = 1, 2$; then $P$ splits as $P = sP_1P_2$, $s \in \bar{K}$, and both $P_j$, $j = 1, 2$, are invariant under $\mathrm{PSL}_2(\mathbb{F}_q)$. Notice that the absolute irreducibility of $P_1$ and $P_2$ was not used in the argument in the PSL$_2$ case.

This completes the proof of Theorem 4. 

4.7 Traps 

In the following Proposition 2 and Proposition 3 are proven. 

Let $Q$ be an irreducible quadratic polynomial in $K[X]$ such that $(1, u_0X + u_1)$, $(X, v_0X + v_1)$ is a basis of the lattice $L_Q$, so that $Q$ is a scalar multiple of $-u_0X^2 + (-u_1 + v_0)X + v_1 = F(-X)$ and has roots $-\rho_1$ and $-\rho_2$. By definition of $L_Q$ the pair $(h_0, h_1)$ must be in the dual lattice (scaled by $Q$), given by the basis $(u_0X + u_1, -1)$, $(v_0X + v_1, -X)$.

For the assertions concerning conditions (*) and (**), assume that $\rho_1, \rho_2 \in L \setminus K$ and that

$$\rho_i^q + \alpha\rho_j + \delta = 0, \qquad \{i, j\} = \{1, 2\},$$

holds for $j = 1$ or $j = 2$.
First consider the case $j = 2$, i.e., condition (*). To show that $-\rho_i$, $i = 1, 2$, are roots of $h_1X^q - h_0$ it is sufficient to show this for the basis of the dual lattice of $L_Q$ given above. For $(u_0X + u_1, -1)$ one computes

$$-(-\rho_1)^q - u_0(-\rho_1) - u_1 = \rho_1^q - \alpha\rho_1 - \beta + \delta = -\alpha\rho_2 - \alpha\rho_1 - \beta = 0,$$

and for $(v_0X + v_1, -X)$ one obtains

$$-(-\rho_1)^q(-\rho_1) - v_0(-\rho_1) - v_1 = (-\rho_1^q - \delta)\rho_1 - \gamma = \alpha\rho_1\rho_2 - \gamma = 0.$$

Therefore $h_1X^q - h_0$ is divisible by $Q$, which is then a trap of level 0.

In the case $j = 1$ an analogous calculation shows that $-\rho_i$, $i = 1, 2$, are roots of $h_1X^q - h_0$, namely for $(u_0X + u_1, -1)$ one has

$$-(-\rho_2)^q - u_0(-\rho_2) - u_1 = \rho_2^q - \alpha\rho_2 - \beta + \delta = -\alpha\rho_1 - \alpha\rho_2 - \beta = 0$$

and for $(v_0X + v_1, -X)$ one gets

$$-(-\rho_2)^q(-\rho_2) - v_0(-\rho_2) - v_1 = (-\rho_2^q - \delta)\rho_2 - \gamma = \alpha\rho_1\rho_2 - \gamma = 0.$$

Therefore $h_1X^q - h_0$ is divisible by $Q$, which is then a trap of level $kd$. This finishes the proof of Proposition 2.
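The computation above, checked numerically on a toy instance as an added example that is not part of the paper: for $q = p = 3$, $K = \mathbb{F}_9$ and $L = \mathbb{F}_{81}$ it constructs $\rho_1, \rho_2 \in L \setminus K$ and constants $\alpha, \beta, \gamma, \delta \in K$ with $\rho_1^q + \alpha\rho_2 + \delta = 0$, then verifies that $-\rho_1$ and $-\rho_2$ are roots of $h_1X^q - h_0$ for both dual-lattice basis vectors, so $Q$ divides $h_1X^q - h_0$ for every $(h_0, h_1)$ in the dual lattice. It assumes, as inferred from the identities of this section rather than restated on this page, that $F = \alpha A^2 + \beta A + \gamma = \alpha(A-\rho_1)(A-\rho_2)$ and $G = A^q + \alpha A + \delta$, hence $u_0 = -\alpha$, $u_1 = \beta - \delta$, $v_0 = -\delta$, $v_1 = \gamma$; the choice $\alpha = (\rho_2 - \rho_1)^{p-1}$ is a constructed one that makes $\delta$ land in $K$ when $q = p$.

```python
# Toy instance of Proposition 2's trap: q = p = 3, K = F_9 inside L = F_81 = F_3[x]/(MOD).
# Field elements are coefficient lists (low -> high) of length n; every value below is constructed.
p, n, q = 3, 4, 3                # K = F_{p^2} is the subfield of L fixed by z -> z^(p^2)

def pmul(a, b):                  # product of two F_p[x] polynomials
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return out

def pmod(a, m):                  # remainder of a modulo the monic polynomial m, padded to n entries
    a = a[:]
    for i in range(len(a) - 1, len(m) - 2, -1):
        if a[i]:
            c = a[i]
            for j in range(len(m)):
                a[i - len(m) + 1 + j] = (a[i - len(m) + 1 + j] - c * m[j]) % p
    return (a[:len(m) - 1] + [0] * n)[:n]

def irreducible(m):              # a quartic is irreducible iff no monic factor of degree 1 or 2 divides it
    return all(any(pmod(m, [(t // p ** i) % p for i in range(d)] + [1])[:d])
               for d in (1, 2) for t in range(p ** d))

MOD = next(m for m in ([(t // p ** i) % p for i in range(n)] + [1] for t in range(p ** n)) if irreducible(m))
def add(a, b): return [(x + y) % p for x, y in zip(a, b)]
def neg(a): return [(-x) % p for x in a]
def mul(a, b): return pmod(pmul(a, b), MOD)
def power(a, e):                 # exponents used here are small, so repeated multiplication suffices
    r = [1] + [0] * (n - 1)
    for _ in range(e):
        r = mul(r, a)
    return r
def in_K(z): return power(z, p ** 2) == z

def trap_check():
    rho1 = [0, 1, 0, 0]                          # x itself: a root of the irreducible MOD, hence not in K
    rho2 = power(rho1, p ** 2)                   # its K-conjugate; Q has the roots -rho1, -rho2
    alpha = power(add(rho2, neg(rho1)), p - 1)   # constructed choice: makes rho1^q + alpha*rho2 lie in K
    delta = neg(add(power(rho1, q), mul(alpha, rho2)))   # so that rho1^q + alpha*rho2 + delta = 0
    beta = neg(mul(alpha, add(rho1, rho2)))      # F = alpha*(A - rho1)(A - rho2) = alpha*A^2 + beta*A + gamma
    gamma = mul(alpha, mul(rho1, rho2))
    u0, u1, v0, v1 = neg(alpha), add(beta, neg(delta)), neg(delta), gamma   # lattice data (assumed form)
    zero = [0] * n
    def is_root(X):                              # h1 X^q - h0 for the basis vectors (u0X+u1, -1), (v0X+v1, -X)
        b1 = neg(add(power(X, q), add(mul(u0, X), u1)))
        b2 = neg(add(power(X, q + 1), add(mul(v0, X), v1)))
        return b1 == zero and b2 == zero
    return {"coeffs_in_K": all(in_K(z) for z in (alpha, beta, gamma, delta)),
            "rho1_in_K": in_K(rho1),
            "neg_rho1_root": is_root(neg(rho1)), "neg_rho2_root": is_root(neg(rho2))}
```

Because $q = p$ here, the $j = 1$ condition $\rho_2^q + \alpha\rho_1 + \delta = 0$ holds at the same time, so this instance is a trap in both senses of the proposition.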

Regarding Proposition 3, note that a solution $(a, B)$ gives rise to the polynomial $V_a = a\bigl(u_0X + (Y + u_1)\bigr) + \bigl((Y + v_0)X + v_1\bigr)$. If, for $j = 1$ or $j = 2$, $\rho$ is a root of $V_a \bmod f_j$ for two different values of $a$, then $\rho$ is a root of $u_0X + (Y + u_1) \bmod f_j$ and of $(Y + v_0)X + v_1 \bmod f_j$. Since

$$-X\bigl(u_0X + (Y + u_1)\bigr) + (Y + v_0)X + v_1 = -u_0X^2 + (-u_1 + v_0)X + v_1 = F(-X),$$

which equals $Q$ up to a scalar, it follows that $\rho$ is also a root of $Q$. Furthermore, in the case $j = 1$ the polynomial $V_a \bmod f_1$ splits completely, so that $\rho \in K$, contradicting the irreducibility of $Q$, finishing the proof of Proposition 3.

This completes the proof of Theorem 3. 